Emulators are being increasingly used by antivirus applications to analyze computer program code for the presence of malicious functionality. Such a method is usually employed to analyze code written in script programming languages. Generally, the emulator includes a syntactical analyzer (parser) and an interpreter. The syntactical analyzer converts the program code being analyzed into an intermediate code (such as byte code). The interpreter, using the intermediate code and an emulated execution environment, successively executes (i.e., interprets) the instructions of the intermediate code in accordance with the rules of interpretation. During the emulation, the code being analyzed has no access to the resources of the actual computer system, since its execution takes place in the emulated environment. Thus, the code being executed in the emulator cannot delete or alter files on the computer, read data from the files, or otherwise inflict harm on the computer system in which it runs.
At the same time, it is quite difficult to implement an emulator which is able to interpret all objects (functions, procedures and methods, instances of classes, and so forth) of a code being executed. Cybercriminals make use of this fact and often include rarely used objects in their program code. Therefore, if the value returned by a particular object (e.g., a function) does not correspond to the value expected from executing that object, the malicious code “understands” that it is being executed inside an emulator and ceases its further execution or does not execute the malicious functionality, so as not to be detected.
In turn, the makers of antivirus applications strive to efficiently add rules of interpretation to the emulators for new objects included by cybercriminals in their malicious code. However, this usually requires changing the program code of the emulator itself. After each such change, testing and debugging of the program code of the emulator are required, and thus the updated version of the emulator cannot be provided efficiently to the users of the antivirus. A technical problem arises, consisting in the need for interpretation (i.e., execution by an interpreter) of instructions of an investigated program code that contain objects for which the interpreter lacks a rule of interpretation (i.e., a program code whose result of execution corresponds to the result of the execution of the corresponding instruction), without changing the actual program code of the interpreter. The object may be a procedure, a class instance, a method or variable of a class instance, a script or even a file.
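The following is an added illustration, not code from the patent or from any antivirus product: a minimal script emulator built as the preceding paragraphs describe (parser producing intermediate code, interpreter driven by a table of interpretation rules), in which the rules are supplied to the interpreter as data rather than compiled into it. The toy script syntax, the opcode names, the rule signature, and the function names `concat`, `strlen`, `write_file` and `obscure_fn` are all assumptions chosen for the example. It shows the failure mode of the text (an object with no rule, where the interpreter can only return a placeholder and records the gap) and how a rule for that object can be added without touching the interpreter's own code.

```python
"""Minimal script emulator: parser -> intermediate code -> rule-driven interpreter.

Added example, not code from the patent. The script language below is a
constructed toy: one statement per line, either `name = func(args)` or
`func(args)`, with integer literals, double-quoted string literals (no commas
inside) and previously assigned names as operands.
"""
import re
from typing import Any, Callable

STMT = re.compile(r"^(?:(\w+)\s*=\s*)?(\w+)\((.*)\)$")


def parse(script: str) -> list[tuple[str, Any]]:
    """Syntactical analyzer: turn script text into a list of (opcode, operand)."""
    code: list[tuple[str, Any]] = []
    for raw in script.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STMT.match(line)
        if not m:
            raise SyntaxError(f"cannot parse: {line!r}")
        target, func, args = m.groups()
        operands = [a.strip() for a in args.split(",")] if args.strip() else []
        for op in operands:
            code.append(("PUSH", op))          # push operand value on the stack
        code.append(("CALL", (func, len(operands))))
        code.append(("STORE", target) if target else ("POP", None))
    return code


# A rule of interpretation: receives the emulator and the argument list, returns
# the value the real object would have produced.
Rule = Callable[["Emulator", list[Any]], Any]


class Emulator:
    """Interpreter whose behaviour is defined entirely by the supplied rule table."""

    def __init__(self, rules: dict[str, Rule]):
        self.rules = dict(rules)
        self.env: dict[str, Any] = {}        # emulated script variables
        self.files: dict[str, Any] = {}      # emulated file system (no real I/O)
        self.missing: list[str] = []         # objects met without an interpretation rule
        self.trace: list[tuple[str, list[Any], Any]] = []

    def _value(self, token: str) -> Any:
        if len(token) >= 2 and token[0] == token[-1] == '"':
            return token[1:-1]
        if token.lstrip("-").isdigit():
            return int(token)
        return self.env.get(token)

    def run(self, code: list[tuple[str, Any]]) -> dict[str, Any]:
        stack: list[Any] = []
        for opcode, operand in code:
            if opcode == "PUSH":
                stack.append(self._value(operand))
            elif opcode == "CALL":
                name, argc = operand
                args = stack[-argc:] if argc else []
                del stack[len(stack) - argc:]
                rule = self.rules.get(name)
                if rule is None:
                    # No rule for this object: the emulator cannot reproduce its
                    # result, so it records the gap and yields a placeholder.
                    self.missing.append(name)
                    result = None
                else:
                    result = rule(self, args)
                stack.append(result)
                self.trace.append((name, args, result))
            elif opcode == "STORE":
                self.env[operand] = stack.pop()
            elif opcode == "POP":
                stack.pop()
        return self.env


def _write_file(emu: Emulator, args: list[Any]) -> bool:
    emu.files[args[0]] = args[1]             # recorded in the emulated environment only
    return True


# Rules shipped with the interpreter (assumed semantics for the toy functions).
BASE_RULES: dict[str, Rule] = {
    "concat": lambda emu, a: "".join(str(x) for x in a),
    "strlen": lambda emu, a: len(a[0]),
    "write_file": _write_file,
}

# A later rule update delivered as data; the Emulator class above is unchanged.
UPDATE_RULES: dict[str, Rule] = {
    "obscure_fn": lambda emu, a: a[0] * 10,  # assumed semantics of the rare object
}

# Constructed sample script: `obscure_fn` has no rule in BASE_RULES.
SAMPLE_SCRIPT = """
s = concat("ab", "cd")
n = strlen(s)
t = obscure_fn(n)
write_file("out.txt", t)
"""


def analyze(script: str, rules: dict[str, Rule]) -> tuple[dict[str, Any], list[str], dict[str, Any]]:
    """Emulate a script under a rule table; return (variables, missing objects, emulated files)."""
    emu = Emulator(rules)
    env = emu.run(parse(script))
    return env, emu.missing, emu.files


if __name__ == "__main__":
    print(analyze(SAMPLE_SCRIPT, BASE_RULES))
    print(analyze(SAMPLE_SCRIPT, {**BASE_RULES, **UPDATE_RULES}))
```

Under `BASE_RULES` the run completes without harm to the host, but `obscure_fn` is reported in `missing` and the value written to the emulated file is the placeholder `None`, which is exactly the mismatch a script could notice. Merging `UPDATE_RULES` into the table closes the gap with no change to the `Emulator` class itself.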
However, the existing antivirus technologies are often unable to detect malicious code containing objects for which the emulator, and more specifically its interpreter, lacks a rule of interpretation, and thus they do not solve the aforementioned technical problem.